alibaba / higress

Cloud Native API Gateway | 云原生API网关
https://higress.io
Apache License 2.0

Can `AutomaticHttps`+`CredentialConfig` set secret at other namespace? #1066

Open zzjin opened 1 week ago

zzjin commented 1 week ago

Why do you need it?

CredentialConfig cannot use another namespace's TLS secret.

How could it be?

Users can set secrets from other namespaces for domains.

Other related information

Kubernetes's ingress-nginx controller can use `--default-ssl-certificate` with a value like "default/secret". See: https://kubernetes.github.io/ingress-nginx/user-guide/tls/#default-ssl-certificate

johnlanni commented 2 days ago

cc @2456868764

zzjin commented 1 day ago

The simple way: add parsing logic for CredentialConfig.TLSSecret, e.g. support "sealos-system/wildcard-cert" instead of "wildcard-cert" for the higress-system namespace.

```yaml
automaticHttps: false
fallbackForInvalidSecret: true
acmeIssuer:
- email: cloud@sealos.io
  name: letsencrypt
renewBeforeDays: 1
credentialConfig:
- domains:
    - '*.sealos.io'
    - 'sealos.io'
  tlsSecret: sealos-system/wildcard-cert
  # tlsSecret: wildcard-cert
```

But here comes the conflict: when the user also sets AutomaticHttps=true alongside a namespaced tlsSecret, the SecretMgr cannot support it, since it can only update and manage secrets under Higress's own higress-system namespace.

https://github.com/alibaba/higress/blob/main/pkg/cert/secret.go#L48-L70
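The parsing step proposed above, written out as an added example (this is not code from the Higress repository and does not match its internal API). It assumes that an unqualified `tlsSecret` resolves to `higress-system`, as the issue's example does, and it adds a hypothetical per-namespace allowlist: because a namespaced reference lets the gateway read, and with automatic HTTPS write, Secrets outside its own namespace, a practitioner would want those namespaces enumerated rather than granting cluster-wide Secret access. Namespace and Secret names are validated against the Kubernetes DNS-1123 rules so a reference like `a/b/c` or `Bad_NS/x` is rejected before any API call is made.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// defaultSecretNamespace is where an unqualified tlsSecret ("wildcard-cert")
// resolves. Assumed from the issue's example; not read from Higress config here.
const defaultSecretNamespace = "higress-system"

// Kubernetes naming rules: a Namespace is an RFC 1123 label (<= 63 chars),
// a Secret name is an RFC 1123 subdomain (<= 253 chars).
var (
	dns1123Label     = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`)
	dns1123Subdomain = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$`)
)

// SecretRef is a parsed "namespace/name" or bare "name" tlsSecret value.
type SecretRef struct {
	Namespace string
	Name      string
}

func (r SecretRef) String() string { return r.Namespace + "/" + r.Name }

// ParseSecretRef accepts "name" (defaulting the namespace) or "namespace/name"
// and rejects anything else, including extra slashes, empty parts and names
// that are not valid Kubernetes identifiers.
func ParseSecretRef(ref string) (SecretRef, error) {
	ref = strings.TrimSpace(ref)
	if ref == "" {
		return SecretRef{}, fmt.Errorf("tlsSecret reference is empty")
	}
	parts := strings.Split(ref, "/")
	var out SecretRef
	switch len(parts) {
	case 1:
		out = SecretRef{Namespace: defaultSecretNamespace, Name: parts[0]}
	case 2:
		out = SecretRef{Namespace: parts[0], Name: parts[1]}
	default:
		return SecretRef{}, fmt.Errorf("tlsSecret %q: expected \"name\" or \"namespace/name\"", ref)
	}
	if len(out.Namespace) > 63 || !dns1123Label.MatchString(out.Namespace) {
		return SecretRef{}, fmt.Errorf("tlsSecret %q: invalid namespace %q", ref, out.Namespace)
	}
	if len(out.Name) > 253 || !dns1123Subdomain.MatchString(out.Name) {
		return SecretRef{}, fmt.Errorf("tlsSecret %q: invalid secret name %q", ref, out.Name)
	}
	return out, nil
}

// Access is the level the gateway is permitted in a given namespace.
// Hypothetical policy model, not a Higress feature.
type Access int

const (
	NoAccess  Access = iota // namespace not listed: reject
	ReadOnly                // may serve an existing certificate from it
	ReadWrite               // may also store ACME-issued certificates in it
)

// SecretNamespacePolicy maps namespace -> permitted access. Keeping this
// explicit mirrors what the RBAC grant would have to be: a Role/RoleBinding
// per listed namespace instead of a ClusterRole over all Secrets.
type SecretNamespacePolicy map[string]Access

// Check rejects references to unlisted namespaces, and, when automatic HTTPS
// is on, references to namespaces the gateway may only read: the ACME flow
// must be able to write the renewed certificate back to that Secret.
func (p SecretNamespacePolicy) Check(ref SecretRef, automaticHTTPS bool) error {
	switch acc := p[ref.Namespace]; {
	case acc == NoAccess:
		return fmt.Errorf("%s: namespace %q is not allowed for TLS secrets", ref, ref.Namespace)
	case automaticHTTPS && acc != ReadWrite:
		return fmt.Errorf("%s: automaticHttps needs write access to namespace %q", ref, ref.Namespace)
	}
	return nil
}

func main() {
	policy := SecretNamespacePolicy{"higress-system": ReadWrite, "sealos-system": ReadOnly}
	for _, in := range []string{"wildcard-cert", "sealos-system/wildcard-cert", "a/b/c", "Bad_NS/x"} {
		ref, err := ParseSecretRef(in)
		if err != nil {
			fmt.Println("reject:", err)
			continue
		}
		fmt.Printf("%-35s -> %s (manual: %v, automaticHttps: %v)\n",
			in, ref, policy.Check(ref, false), policy.Check(ref, true))
	}
}
```

The two-stage split matters: parsing decides what the string means, the policy decides whether the gateway is allowed to touch that Secret at all. With `automaticHttps: true`, a reference to a read-only namespace fails up front rather than at renewal time, which is the conflict described in the comment above.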

johnlanni commented 1 day ago

I am inclined to enable automatic HTTPS, maintaining consistent behavior, which also entails writing to the designated namespace's secret. It should be noted that this requires adjusting the clusterrole to grant higress access to write to secrets in other namespaces.